twyxted
just joined
Topic Author
Posts: 11
Joined: Tue Dec 12, 2017 7:50 am

Help with inter vlan routings

Mon Apr 30, 2018 9:48 am

Hi Everyone, I need help with inter-vlan routing

I have this current physical setup:

1x RB3011 UiAS-RM Router
1x Cisco SG200-50P Switch (Core Switch)
2x Cisco SG200-50 Switch

The switches are layer 2 and the necessary port trunks have been configured.
Switch 1 (Core):
Port 48 = Router
Port 49 = Switch 2
Port 50 = Switch 3

Problem:
How can I allow all VLANs to access "Vlan100 IT"? This Vlan100 IT is where our biometrics, file server, printer, etc. are connected, and I need either every VLAN, or at least VLANs 101, 102, 103, 104, 105 and 110, to be able to access it.

Code:

/interface bridge
add fast-forward=no name=LAN-Bridge
/interface ethernet
set [ find default-name=ether1 ] name=eth1-WAN1
set [ find default-name=ether2 ] name=eth2-WAN2
set [ find default-name=ether5 ] name=eth5-LAN

/interface vlan
add interface=eth5-LAN name="Vlan100 IT" vlan-id=100
add interface=eth5-LAN name="Vlan101 HR/Admin" vlan-id=101
add interface=eth5-LAN name="Vlan102 QA" vlan-id=102
add interface=eth5-LAN name="Vlan103 MC" vlan-id=103
add interface=eth5-LAN name="Vlan104 CS" vlan-id=104
add interface=eth5-LAN name="Vlan105 ConfeRm" vlan-id=105
add interface=eth5-LAN name="Vlan106 GameRm" vlan-id=106
add interface=eth5-LAN name="Vlan110 IT/Admin" vlan-id=110
add interface=eth5-LAN name="Vlan120 WiFi-Admin" vlan-id=120
add interface=eth5-LAN name="Vlan121 WiFi-Staff" vlan-id=121
add interface=eth5-LAN name="Vlan122 WiFi-Guest" vlan-id=122

/ip pool
add name=dhcp_pool1 ranges=10.7.0.51-10.7.255.254
add name=dhcp_pool2 ranges=10.7.1.2-10.7.1.254
add name=dhcp_pool3 ranges=10.7.4.2-10.7.4.254
add name=dhcp_pool4 ranges=10.7.5.2-10.7.5.254
add name=dhcp_pool5 ranges=10.7.6.2-10.7.6.254
add name=dhcp_pool6 ranges=10.7.7.2-10.7.7.254
add name=dhcp_pool7 ranges=10.7.8.2-10.7.8.254
add name=dhcp_pool8 ranges=10.7.9.2-10.7.9.254
add name=dhcp_pool9 ranges=10.7.10.2-10.7.10.254
add name=dhcp_pool10 ranges=10.7.20.2-10.7.20.254
add name=dhcp_pool11 ranges=10.7.21.2-10.7.21.254
add name=dhcp_pool12 ranges=10.7.22.2-10.7.22.254

/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 authoritative=after-2sec-delay \
disabled=no interface=LAN-Bridge lease-time=1d name=dhcp1
add address-pool=dhcp_pool2 authoritative=after-2sec-delay disabled=no \
interface="Vlan100 IT" lease-time=1d name=dhcp2
add address-pool=dhcp_pool3 authoritative=after-2sec-delay disabled=no \
interface="Vlan101 HR/Admin" lease-time=1d name=dhcp3
add address-pool=dhcp_pool4 authoritative=after-2sec-delay disabled=no \
interface="Vlan102 QA" lease-time=1d name=dhcp4
add address-pool=dhcp_pool5 authoritative=after-2sec-delay disabled=no \
interface="Vlan103 MC" lease-time=1d name=dhcp5
add address-pool=dhcp_pool6 authoritative=after-2sec-delay disabled=no \
interface="Vlan104 CS" lease-time=1d name=dhcp6
add address-pool=dhcp_pool7 authoritative=after-2sec-delay disabled=no \
interface="Vlan105 ConfeRm" lease-time=1d name=dhcp7
add address-pool=dhcp_pool8 authoritative=after-2sec-delay disabled=no \
interface="Vlan106 GameRm" lease-time=1d name=dhcp8
add address-pool=dhcp_pool9 authoritative=after-2sec-delay disabled=no \
interface="Vlan110 IT/Admin" lease-time=1d name=dhcp9
add address-pool=dhcp_pool10 authoritative=after-2sec-delay disabled=no \
interface="Vlan120 WiFi-Admin" lease-time=1d name=dhcp10
add address-pool=dhcp_pool11 authoritative=after-2sec-delay disabled=no \
interface="Vlan121 WiFi-Staff" lease-time=8h name=dhcp11
add address-pool=dhcp_pool12 authoritative=after-2sec-delay disabled=no \
interface="Vlan122 WiFi-Guest" lease-time=8h name=dhcp12

/interface bridge port
add bridge=LAN-Bridge hw=no interface=eth5-LAN
/ip neighbor discovery-settings
set discover-interface-list=discover
/ip address
add address=10.7.0.1/16 interface=LAN-Bridge network=10.7.0.0
add address=xxx.xxx.xxx.xxx/30 interface=eth1-WAN1 network=xxx.xxx.xxx.xxx
add address=xxx.xxx.xxx.xxx/29 interface=eth2-WAN2 network=xxx.xxx.xxx.xxx
add address=10.7.1.1/24 interface="Vlan100 IT" network=10.7.1.0
add address=10.7.4.1/24 interface="Vlan101 HR/Admin" network=10.7.4.0
add address=10.7.5.1/24 interface="Vlan102 QA" network=10.7.5.0
add address=10.7.6.1/24 interface="Vlan103 MC" network=10.7.6.0
add address=10.7.7.1/24 interface="Vlan104 CS" network=10.7.7.0
add address=10.7.8.1/24 interface="Vlan105 ConfeRm" network=10.7.8.0
add address=10.7.9.1/24 interface="Vlan106 GameRm" network=10.7.9.0
add address=10.7.10.1/24 interface="Vlan110 IT/Admin" network=10.7.10.0
add address=10.7.20.1/24 interface="Vlan120 WiFi-Admin" network=10.7.20.0
add address=10.7.21.1/24 interface="Vlan121 WiFi-Staff" network=10.7.21.0
add address=10.7.22.1/24 interface="Vlan122 WiFi-Guest" network=10.7.22.0

/ip dhcp-server network
add address=10.7.0.0/16 dns-server=10.7.0.1 gateway=10.7.0.1
add address=10.7.1.0/24 dns-server=10.7.1.1 gateway=10.7.1.1
add address=10.7.4.0/24 dns-server=10.7.4.1 gateway=10.7.4.1
add address=10.7.5.0/24 dns-server=10.7.5.1 gateway=10.7.5.1
add address=10.7.6.0/24 dns-server=10.7.6.1 gateway=10.7.6.1
add address=10.7.7.0/24 dns-server=10.7.7.1 gateway=10.7.7.1
add address=10.7.8.0/24 dns-server=10.7.8.1 gateway=10.7.8.1
add address=10.7.9.0/24 dns-server=10.7.9.1 gateway=10.7.9.1
add address=10.7.10.0/24 dns-server=10.7.10.1 gateway=10.7.10.1
add address=10.7.20.0/24 dns-server=10.7.20.1 gateway=10.7.20.1
add address=10.7.21.0/24 dns-server=10.7.21.1 gateway=10.7.21.1
add address=10.7.22.0/24 dns-server=10.7.22.1 gateway=10.7.22.1

/ip firewall nat
add action=masquerade chain=srcnat out-interface=eth1-WAN1
add action=masquerade chain=srcnat out-interface=eth2-WAN2
 
artz
MikroTik Support
Posts: 88
Joined: Tue Oct 17, 2017 5:51 pm
Location: Riga

Re: Help with inter vlan routings

Mon Apr 30, 2018 10:11 am

There is an error in your configuration: you have created a VLAN interface on top of a slave interface. You can read more about this case here:
https://wiki.mikrotik.com/wiki/Manual:L ... _interface

If this is all of your configuration, then with this configuration interVLAN routing is allowed between all VLANs.
If you are not able to access other VLANs, then you have probably set up a Firewall (maybe on a different device).
Last edited by artz on Mon Apr 30, 2018 11:32 am, edited 1 time in total.
 
sid5632
Long time Member
Posts: 554
Joined: Fri Feb 17, 2017 6:05 pm

Re: Help with inter vlan routings

Mon Apr 30, 2018 10:46 am

1. Post the entire config. (with the software version). Don't leave out what you think is irrelevant.
2. Don't use ports directly once they are in a bridge e.g. "/interface vlan add interface=eth5-LAN name="Vlan100 IT" vlan-id=100" should use LAN-Bridge not eth5-LAN.
3. I don't see what the point of LAN-Bridge is in the first place.
4. Say what you have tried to determine that things aren't working, e.g. have you tried pinging anything, both from the router itself and from various devices?
 
twyxted

Re: Help with inter vlan routings

Mon Apr 30, 2018 11:41 am

That's what I knew as well; I thought I did the right thing. However, I cannot get inter-VLAN access when trying from any computers on different VLANs.

All VLANs are connected and do actually have internet access. I'm not quite sure whether I need to configure anything within the bridge, such as bridge VLANs, bridge VLAN filtering, etc., as the switches I am using are layer 2 Cisco smart switches.

But when I try to ping the following gateway addresses of each VLAN from a client PC, they are not reachable:
10.7.10.1 (10.7.10.0/24)
10.7.20.1 (10.7.20.0/24)
10.7.21.1 (10.7.21.0/24)
10.7.22.1 (10.7.22.0/24)
10.7.4.1 (10.7.4.0/24)
10.7.5.1 (10.7.5.0/24)
10.7.6.1 (10.7.6.0/24)
10.7.7.1 (10.7.7.0/24)
10.7.8.1 (10.7.8.0/24)
10.7.9.1 (10.7.9.0/24)


I'm quite new to MikroTik. Below are the VLAN configurations of my Cisco switches:
Switch 1 (Core Switch): Interface Settings [screenshots], Vlan Membership Settings [screenshots]
Switch 2: Interface Settings [screenshots], Vlan Membership Settings [screenshots]
Switch 3: Interface Settings [screenshots], Vlan Membership Settings [screenshots]
 
twyxted

Re: Help with inter vlan routings

Mon Apr 30, 2018 11:54 am

I see, thank you everyone. Will try it again
 
twyxted

Re: Help with inter vlan routings

Mon Apr 30, 2018 12:30 pm

I have changed the VLAN interfaces which were on the slave interface.

Here's the complete config:

Code:

# apr/30/2018 17:21:42 by RouterOS 6.41.4
# software id = LB6W-3FQY
#
# model = RouterBOARD 3011UiAS
# serial number = 783E0773A6D3
/interface bridge
add fast-forward=no name=LAN-Bridge
/interface ethernet
set [ find default-name=ether1 ] name=eth1-WAN1
set [ find default-name=ether2 ] name=eth2-WAN2
set [ find default-name=ether5 ] name=eth5-LAN
/interface gre
add clamp-tcp-mss=no !keepalive local-address=xxx.xx.xx.xxx name=ph1-sg remote-address=\
xxx.xxx.xxx.xxx
add clamp-tcp-mss=no !keepalive local-address=xxx.xxx.xxx.xx name=ph2-twzz remote-address=\
xx.xxx.xxx.xx
/interface vlan
add interface=LAN-Bridge name="Vlan100 IT" vlan-id=100
add interface=LAN-Bridge name="Vlan101 HR/Admin" vlan-id=101
add interface=LAN-Bridge name="Vlan102 QA" vlan-id=102
add interface=LAN-Bridge name="Vlan103 MC" vlan-id=103
add interface=LAN-Bridge name="Vlan104 CS" vlan-id=104
add interface=LAN-Bridge name="Vlan105 ConfeRm" vlan-id=105
add interface=LAN-Bridge name="Vlan106 GameRm" vlan-id=106
add interface=LAN-Bridge name="Vlan110 IT/Admin" vlan-id=110
add interface=LAN-Bridge name="Vlan120 WiFi-Admin" vlan-id=120
add interface=LAN-Bridge name="Vlan121 WiFi-Staff" vlan-id=121
add interface=LAN-Bridge name="Vlan122 WiFi-Guest" vlan-id=122
/interface list
add exclude=dynamic name=discover
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add comment=Streaming name=streaming regexp=\
"^..+\\.(youtube.com|googlevideo.com|twitch.tv|akamaihd.net).*\$"
add comment=Facebook name=facebook regexp="^(.*)(facebook)(.*)\\\$"
add comment="Google Playstore" name=google-playstore regexp=\
"^..+\\.(play.googleapis.com|android.clients.google.com|lh3.googleusercontent.com).*\$"
add comment=Torrent name=bittorrent regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scr\
ape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1\
:ad2:id20:|\\x08'7P\\)[RP]"
/ip pool
add name=dhcp_pool2 ranges=10.7.1.2-10.7.1.254
add name=dhcp_pool3 ranges=10.7.4.2-10.7.4.254
add name=dhcp_pool4 ranges=10.7.5.2-10.7.5.254
add name=dhcp_pool5 ranges=10.7.6.2-10.7.6.254
add name=dhcp_pool6 ranges=10.7.7.2-10.7.7.254
add name=dhcp_pool7 ranges=10.7.8.2-10.7.8.254
add name=dhcp_pool8 ranges=10.7.9.2-10.7.9.254
add name=dhcp_pool9 ranges=10.7.10.2-10.7.10.254
add name=dhcp_pool10 ranges=10.7.20.2-10.7.20.254
add name=dhcp_pool11 ranges=10.7.21.2-10.7.21.254
add name=dhcp_pool12 ranges=10.7.22.2-10.7.22.254
/ip dhcp-server
add address-pool=dhcp_pool2 authoritative=after-2sec-delay disabled=no interface=\
"Vlan100 IT" lease-time=1d name=dhcp2
add address-pool=dhcp_pool3 authoritative=after-2sec-delay disabled=no interface=\
"Vlan101 HR/Admin" lease-time=1d name=dhcp3
add address-pool=dhcp_pool4 authoritative=after-2sec-delay disabled=no interface=\
"Vlan102 QA" lease-time=1d name=dhcp4
add address-pool=dhcp_pool5 authoritative=after-2sec-delay disabled=no interface=\
"Vlan103 MC" lease-time=1d name=dhcp5
add address-pool=dhcp_pool6 authoritative=after-2sec-delay disabled=no interface=\
"Vlan104 CS" lease-time=1d name=dhcp6
add address-pool=dhcp_pool7 authoritative=after-2sec-delay disabled=no interface=\
"Vlan105 ConfeRm" lease-time=1d name=dhcp7
add address-pool=dhcp_pool8 authoritative=after-2sec-delay disabled=no interface=\
"Vlan106 GameRm" lease-time=1d name=dhcp8
add address-pool=dhcp_pool9 authoritative=after-2sec-delay disabled=no interface=\
"Vlan110 IT/Admin" lease-time=1d name=dhcp9
add address-pool=dhcp_pool10 authoritative=after-2sec-delay disabled=no interface=\
"Vlan120 WiFi-Admin" lease-time=1d name=dhcp10
add address-pool=dhcp_pool11 authoritative=after-2sec-delay disabled=no interface=\
"Vlan121 WiFi-Staff" lease-time=8h name=dhcp11
add address-pool=dhcp_pool12 authoritative=after-2sec-delay disabled=no interface=\
"Vlan122 WiFi-Guest" lease-time=8h name=dhcp12
/queue tree
add max-limit=10M name="All Bandwidth" parent=global priority=1
add max-limit=10M name=Download packet-mark=client-dw-packet parent="All Bandwidth" \
priority=1
add max-limit=10M name=Upload packet-mark=client-up-packet parent="All Bandwidth" priority=\
1
/queue type
add kind=pcq name=pcq-download-stream pcq-classifier=dst-address
add kind=pcq name=pcq-upload-stream pcq-classifier=dst-address
add kind=pcq name=pcq-download-facebook pcq-classifier=dst-address
add kind=pcq name=pcq-upload-facebook pcq-classifier=dst-address
add kind=pcq name=pcq-download-livechat pcq-classifier=dst-address
add kind=pcq name=pcq-upload-livechat pcq-classifier=dst-address
add kind=pcq name=pcq-download-android pcq-classifier=dst-address pcq-dst-address6-mask=64 \
pcq-src-address6-mask=64 pcq-total-limit=5000KiB
add kind=pcq name=pcq-upload-android pcq-classifier=dst-address pcq-dst-address6-mask=64 \
pcq-src-address6-mask=64 pcq-total-limit=3000KiB
set 14 pcq-rate=2M
/queue tree
add max-limit=5M name=http-dw packet-mark=http-dw-packet parent=Download priority=3 queue=\
pcq-download-default
add max-limit=3M name=other-dw packet-mark=other-dw-packet parent=Download priority=2 \
queue=pcq-download-default
add max-limit=6M name=http-up packet-mark=http-up-packet parent=Upload priority=3 queue=\
pcq-upload-default
add max-limit=5M name=other-up packet-mark=other-up-packet parent=Upload priority=2 queue=\
pcq-upload-default
add max-limit=2M name=facebook-dw packet-mark=facebook-dw-packets parent=Download priority=\
7 queue=pcq-download-facebook
add max-limit=2M name=facebook-up packet-mark=facebook-up-conn parent=Upload priority=7 \
queue=pcq-upload-facebook
add max-limit=10M name=backend-dw packet-mark=backend-dw-packet parent=Download priority=1 \
queue=pcq-download-default
add max-limit=10M name=backend-up packet-mark=backend-up-packet parent=Upload priority=1 \
queue=pcq-upload-default
add max-limit=10M name=qq-dw packet-mark=QQ-dw-packet parent=Download priority=1 queue=\
pcq-download-default
add max-limit=10M name=qq-up packet-mark=QQ-up-packet parent=Upload priority=1 queue=\
pcq-download-default
add max-limit=1M name=streaming-dw packet-mark=streaming-dw-packets parent=Download queue=\
pcq-download-stream
add max-limit=1M name=streaming-up packet-mark=streaming-up-packets parent=Upload queue=\
pcq-download-stream
add max-limit=10M name=livechat-dw packet-mark=LiveChat-dw-packets parent=Download \
priority=1 queue=pcq-download-livechat
add max-limit=10M name=livechat-up packet-mark=LiveChat-up-packets parent=Upload priority=1 \
queue=pcq-upload-livechat
add max-limit=8M name=android-dw packet-mark=google-playstore-dw-packets parent=Download \
priority=2 queue=pcq-download-android
add max-limit=8M name=android-up packet-mark=google-playstore-up-packets parent=Upload \
priority=2 queue=pcq-upload-android
add max-limit=10M name=mail-igg-dw packet-mark=mail-igg-dw-packets parent=Download \
priority=1 queue=pcq-download-default
add max-limit=10M name=mail-igg-up packet-mark=mail-igg-up-packets parent=Upload priority=1 \
queue=pcq-download-default
/routing ospf area
add area-id=x.x.x.x name=phoffice
/routing ospf instance
set [ find default=yes ] router-id=x.x.x.x
/snmp community
set [ find default=yes ] addresses=xx.x.x.xx/32
/interface bridge port
add bridge=LAN-Bridge hw=no interface=eth5-LAN
/ip neighbor discovery-settings
set discover-interface-list=discover
/ip address
add address=10.7.0.1/16 interface=LAN-Bridge network=10.7.0.0
add address=xxx.xxx.xxx.xx/30 interface=eth1-WAN1 network=xxx.xxx.xxx.xx
add address=xxx.xx.xx.xxx/29 interface=eth2-WAN2 network=xxx.xx.xx.xxx
add address=10.7.1.1/24 interface="Vlan100 IT" network=10.7.1.0
add address=10.7.4.1/24 interface="Vlan101 HR/Admin" network=10.7.4.0
add address=10.7.5.1/24 interface="Vlan102 QA" network=10.7.5.0
add address=10.7.6.1/24 interface="Vlan103 MC" network=10.7.6.0
add address=10.7.7.1/24 interface="Vlan104 CS" network=10.7.7.0
add address=10.7.8.1/24 interface="Vlan105 ConfeRm" network=10.7.8.0
add address=10.7.9.1/24 interface="Vlan106 GameRm" network=10.7.9.0
add address=10.7.10.1/24 interface="Vlan110 IT/Admin" network=10.7.10.0
add address=10.7.20.1/24 interface="Vlan120 WiFi-Admin" network=10.7.20.0
add address=10.7.21.1/24 interface="Vlan121 WiFi-Staff" network=10.7.21.0
add address=10.7.22.1/24 interface="Vlan122 WiFi-Guest" network=10.7.22.0
add address=xx.xxx.xxx.xx/30 interface=ph1-sg network=xx.xxx.xxx.xx
add address=xx.xxx.xxx.xx/30 interface=ph2-twzz network=xx.xxx.xxx.xx
/ip dhcp-server network
add address=10.7.0.0/16 dns-server=10.7.0.1 gateway=10.7.0.1
add address=10.7.1.0/24 dns-server=10.7.1.1 gateway=10.7.1.1
add address=10.7.4.0/24 dns-server=10.7.4.1 gateway=10.7.4.1
add address=10.7.5.0/24 dns-server=10.7.5.1 gateway=10.7.5.1
add address=10.7.6.0/24 dns-server=10.7.6.1 gateway=10.7.6.1
add address=10.7.7.0/24 dns-server=10.7.7.1 gateway=10.7.7.1
add address=10.7.8.0/24 dns-server=10.7.8.1 gateway=10.7.8.1
add address=10.7.9.0/24 dns-server=10.7.9.1 gateway=10.7.9.1
add address=10.7.10.0/24 dns-server=10.7.10.1 gateway=10.7.10.1
add address=10.7.20.0/24 dns-server=10.7.20.1 gateway=10.7.20.1
add address=10.7.21.0/24 dns-server=10.7.21.1 gateway=10.7.21.1
add address=10.7.22.0/24 dns-server=10.7.22.1 gateway=10.7.22.1
/ip dns
set allow-remote-requests=yes servers=xxx.xxx.xxx.xxx,1.1.1.1,xxx.xxx.xxx.xxx,8.8.8.8
/ip firewall filter
add action=add-src-to-address-list address-list=Torrent_Users address-list-timeout=\
none-dynamic chain=forward comment="RECORD AND DROP TORRENT USERS" in-interface=\
LAN-Bridge layer7-protocol=bittorrent src-address-list=""
add action=drop chain=forward dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 \
protocol=tcp src-address-list=Torrent_Users
add action=drop chain=forward dst-port=!0-1024,8291,5900,5800,3389,14147,5222,59905 \
protocol=udp src-address-list=Torrent_Users
add action=accept chain=input comment="ALLOW DNS CACHE" connection-state=established \
in-interface=eth1-WAN1
add action=accept chain=input connection-state=established in-interface=eth2-WAN2
add action=accept chain=input protocol=icmp
add action=accept chain=input protocol=gre
add action=accept chain=input protocol=ospf src-address=xxx.xxx.xxx.xxx/24
add action=drop chain=input comment="BLOCK DNS REQUEST ON WAN INTERFACE" dst-port=53 \
protocol=udp src-address=!10.7.0.0/16
add action=drop chain=input comment="DROP FTP BRUTE FORCERS" dst-port=21 protocol=tcp \
src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h \
chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="DROP SSH BRUTE FORCERS" dst-port=2200 protocol=tcp \
src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d \
chain=input connection-state=new dst-port=2200 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=\
input connection-state=new dst-port=2200 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=\
input connection-state=new dst-port=2200 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=\
input connection-state=new dst-port=2200 protocol=tcp
add action=accept chain=forward connection-state=established,related dst-address=\
10.7.0.0/16 src-address=10.0.0.0/8
add action=accept chain=forward dst-address=10.7.0.250 dst-port=80 protocol=tcp \
src-address=10.0.0.0/8
add action=drop chain=forward dst-address=10.7.0.0/16 src-address=10.0.0.0/8
add action=drop chain=forward comment="VIRUS / PORTS FLOODING PREVENTION" dst-port=445 \
protocol=tcp src-address-list=Worm-Infected-p445
add action=drop chain=forward dst-port=445 protocol=tcp src-address-list=Worm-Infected-p445
add action=accept chain=forward comment="INTERVLAN: Vlan103_MC to Vlan104_CS" disabled=yes \
in-interface="Vlan103 MC" out-interface="Vlan104 CS"
add action=accept chain=forward comment="INTERVLAN: Vlan104_CS to Vlan103_MC" disabled=yes \
in-interface="Vlan104 CS" out-interface="Vlan103 MC"
add action=accept chain=forward comment="INTERVLAN: Vlan100_IT to Vlan101_HR/Admin" \
disabled=yes in-interface="Vlan100 IT" out-interface="Vlan101 HR/Admin"
add action=accept chain=forward comment="INTERVLAN: Vlan101_HR/Admin to Vlan100_IT" \
disabled=yes in-interface="Vlan101 HR/Admin" out-interface="Vlan100 IT"
/ip firewall mangle
add action=change-mss chain=postrouting new-mss=1436 out-interface=ph2-twzz passthrough=yes \
protocol=tcp tcp-flags=syn tcp-mss=1436-65495
add action=change-mss chain=postrouting new-mss=1436 out-interface=ph1-sg passthrough=yes \
protocol=tcp tcp-flags=syn tcp-mss=1436-65495
add action=add-src-to-address-list address-list=Worm-Infected-p445 address-list-timeout=1h \
chain=prerouting comment="VIRUS / PORTS FLOODING PREVENTION" connection-state=new \
dst-port=445 limit=5,10:packet protocol=tcp
add action=mark-connection chain=forward comment=client-dw-con in-interface=eth1-WAN1 \
new-connection-mark=client-dw-con passthrough=yes
add action=mark-packet chain=forward comment=client-dw-packet connection-mark=client-dw-con \
new-packet-mark=client-dw-packet passthrough=yes
add action=mark-connection chain=prerouting comment=client-up-con in-interface=LAN-Bridge \
new-connection-mark=client-up-con passthrough=yes
add action=mark-packet chain=prerouting comment=client-up-packet connection-mark=\
client-up-con new-packet-mark=client-up-packet passthrough=yes
add action=mark-packet chain=forward comment=backend-dw-packet connection-mark=\
client-dw-con new-packet-mark=backend-dw-packet passthrough=no port=443 protocol=tcp \
src-address=xxx.xxx.xxx.xxx
add action=mark-packet chain=forward comment=backend-up-packet connection-mark=\
client-up-con dst-address=xxx.xxx.xxx.xxx new-packet-mark=backend-up-packet passthrough=\
no port=443 protocol=tcp
add action=mark-connection chain=forward comment=LiveChat-dw-conn in-interface=eth1-WAN1 \
new-connection-mark=LiveChat-dw-conn passthrough=yes port=8090 protocol=tcp
add action=mark-packet chain=forward comment=LiveChat-dw-packets connection-mark=\
LiveChat-dw-conn new-packet-mark=LiveChat-dw-packets passthrough=no
add action=mark-connection chain=prerouting comment=LiveChat-up-conn dst-address=\
xxx.xxx.xxx.xxx in-interface=LAN-Bridge new-connection-mark=LiveChat-up-conn passthrough=\
yes port=8090 protocol=tcp
add action=mark-packet chain=forward comment=LiveChat-up-packets connection-mark=\
LiveChat-up-conn new-packet-mark=LiveChat-up-packets passthrough=no
add action=mark-packet chain=forward comment=mail-igg-dw-packets connection-mark=\
client-dw-con in-interface=eth1-WAN1 new-packet-mark=mail-igg-dw-packets passthrough=no \
protocol=tcp src-address=xxx.xxx.xxx.xxx
add action=mark-packet chain=forward comment=mail-igg-up-packets connection-mark=\
client-up-con dst-address=xxx.xxx.xxx.xxx new-packet-mark=mail-igg-up-packets \
out-interface=LAN-Bridge passthrough=no protocol=tcp
add action=mark-packet chain=forward comment=QQ-dw-packet connection-mark=client-dw-con \
new-packet-mark=QQ-dw-packet passthrough=no port=4000,4001,4002,4003,4004,53373,57699 \
protocol=udp
add action=mark-packet chain=forward comment=QQ-up-packet connection-mark=client-up-con \
new-packet-mark=QQ-up-packet passthrough=yes port=4000,4001,4002,4003,4004,53373,57699 \
protocol=udp
add action=mark-connection chain=forward comment=google-playstore-dw-conn in-interface=\
eth1-WAN1 layer7-protocol=google-playstore new-connection-mark=google-playstore-dw-conn \
passthrough=yes
add action=mark-packet chain=forward comment=google-playstore-dw-packets connection-mark=\
google-playstore-dw-conn new-packet-mark=google-playstore-dw-packets passthrough=no
add action=mark-connection chain=prerouting comment=google-playstore-up-conn in-interface=\
LAN-Bridge layer7-protocol=google-playstore new-connection-mark=\
google-playstore-up-conn passthrough=yes
add action=mark-packet chain=forward comment=google-playstore-up-packets connection-mark=\
google-playstore-up-conn new-packet-mark=google-playstore-up-packets passthrough=no
add action=mark-connection chain=forward comment=torrent-dw-conn in-interface=eth1-WAN1 \
layer7-protocol=bittorrent new-connection-mark=torrent-dw-conn passthrough=yes
add action=mark-packet chain=forward comment=torrent-dw-packets connection-mark=\
torrent-dw-conn new-packet-mark=torrent-dw-packets passthrough=no
add action=mark-connection chain=prerouting comment=torrent-up-conn in-interface=LAN-Bridge \
layer7-protocol=bittorrent new-connection-mark=torrent-up-conn passthrough=yes
add action=mark-packet chain=forward comment=torrent-up-packets connection-mark=\
torrent-up-conn new-packet-mark=torrent-up-packets passthrough=no
add action=mark-connection chain=forward comment=facebook-dw-conn in-interface=eth1-WAN1 \
layer7-protocol=facebook new-connection-mark=facebook-dw-conn passthrough=yes
add action=mark-packet chain=forward comment=facebook-dw-packets connection-mark=\
facebook-dw-conn new-packet-mark=facebook-dw-packets passthrough=no
add action=mark-connection chain=prerouting comment=facebook-up-conn in-interface=\
LAN-Bridge layer7-protocol=facebook new-connection-mark=facebook-up-conn passthrough=\
yes
add action=mark-packet chain=forward comment=facebook-up-packets connection-mark=\
facebook-up-conn new-packet-mark=facebook-up-packets passthrough=no
add action=mark-connection chain=forward comment=streaming-dw-conn in-interface=eth1-WAN1 \
layer7-protocol=streaming new-connection-mark=streaming-dw-conn passthrough=yes
add action=mark-packet chain=forward comment=streaming-dw-packets connection-mark=\
streaming-dw-conn new-packet-mark=streaming-dw-packets passthrough=no
add action=mark-connection chain=prerouting comment=streaming-up-conn in-interface=\
LAN-Bridge layer7-protocol=streaming new-connection-mark=streaming-up-conn passthrough=\
yes
add action=mark-packet chain=forward comment=streaming-up-packets connection-mark=\
streaming-up-conn new-packet-mark=streaming-up-packets passthrough=no
add action=mark-packet chain=forward comment=http-dw-packet new-packet-mark=http-dw-packet \
packet-mark=client-dw-packet passthrough=no port=80,443 protocol=tcp
add action=mark-packet chain=forward comment=http-up-packet new-packet-mark=http-up-packet \
packet-mark=client-up-packet passthrough=no port=80,443 protocol=tcp
add action=mark-packet chain=forward comment=other-dw-packet new-packet-mark=\
other-dw-packet packet-mark=client-dw-packet passthrough=no
add action=mark-packet chain=forward comment=other-up-packet new-packet-mark=\
other-up-packet packet-mark=client-up-packet passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=eth1-WAN1
add action=masquerade chain=srcnat out-interface=eth2-WAN2
/ip firewall service-port
set ftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set dccp disabled=yes
/ip route
add distance=1 gateway=xxx.xxx.xxx.xxx
add distance=2 gateway=xxx.xxx.xxx.xxx
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set api-ssl disabled=yes
/lcd
set backlight-timeout=never read-only-mode=yes
/routing ospf area range
add area=phoffice range=10.7.0.0/16
add area=backbone range=xxx.xxx.xxx.xxx/24
/routing ospf interface
add interface=ph2-twzz network-type=point-to-point
add interface=ph1-sg network-type=point-to-point
/routing ospf network
add area=phoffice network=10.7.0.0/16
add area=backbone network=xxx.xxx.xxx.xxx/30
add area=backbone network=xxx.xxx.xxx.xxx/30
/snmp
set enabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Singapore
/system identity
set name=IGGPH
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool netwatch
add host=8.8.8.8
add host=8.8.4.4
add host=208.67.220.220
add host=208.67.222.222
/tool sniffer
set file-limit=30000KiB file-name=packettest filter-interface=eth1-WAN1
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Help with inter vlan routings

Mon Apr 30, 2018 7:32 pm

I can see the following:

/ip firewall filter
add action=accept chain=forward connection-state=established,related dst-address=10.7.0.0/16 src-address=10.0.0.0/8
...
add action=drop chain=forward dst-address=10.7.0.0/16 src-address=10.0.0.0/8

while
/ip address
add address=10.7.1.1/24 interface="Vlan100 IT" network=10.7.1.0


So any new connection towards the subnet of Vlan100 IT cannot be established, as 10.7.1.0/24 fits into 10.7.0.0/16 and the subnets of all the other VLANs fit into 10.0.0.0/8.

Supposing that the purpose of that last filter rule above was to separate other VLANs from each other, you need to put an exception rule just before it in order to permit access to Vlan100 IT from all other VLANs:
add action=accept dst-address=10.7.1.0/24 src-address=10.0.0.0/8

The firewall rules are quite messy in general, as there is no "drop the rest" rule at the end of filter chains input and forward, and the default policy in RouterOS is always accept.
 
twyxted

Re: Help with inter vlan routings

Wed May 02, 2018 10:06 am

Hi, my VLANs still can't communicate with each other.

The VLANs are now under the bridge interface instead of the slave interface.

I have already disabled these rules, as they were added by my colleague from our HQ:

Code:

/ip firewall filter
add action=accept chain=forward connection-state=established,related dst-address=10.7.0.0/16 src-address=10.0.0.0/8
...
add action=drop chain=forward dst-address=10.7.0.0/16 src-address=10.0.0.0/8

LAN IP 10.7.0.1/16 still can't ping the VLANs' IP addresses.
